1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Site installed .exe - tried to fix and think I deleted something important

Discussion in 'Virus & Other Malware Removal' started by marie500, Apr 9, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. marie500

    marie500 Thread Starter

    Joined:
    May 6, 2002
    Messages:
    829
    A song lyric site installed something called MOSC.exe. It asked for internet access (as "client") and I immediately said No, and made a rule to Block it. Spybot didn't find it but Hijack This showed it as an 04-Run entry in System 32. I checked there and saw that it had been installed today.

    (Before I could work on deleting it, another user HAD to get on the computer so I let her switch to her screen. She now has a Windows Media Player setup icon in her tray.)

    Then I went back to my screen to see if Hijack could delete the MOSC.exe file.
    I'm sorry I didn't check with you first....I got carried away.
    I deleted it, PLUS a local hosts file. That was wrong of me. Hijack This says it can't open the hosts file, and if something is in there that needs to be deleted, I'm sunk. Plus I deleted one other thing that had a very weird name I'd never seen before and was some kind of Extra Toolbar/Button. That was probably okay to get rid of...but the local hosts file...I blew it.

    It is in HT backup but I can't open it and don't know how to restore it. I will leave the MOSC.exe deleted. I'm SO sorry I didn't check with you first, I thought I was doing the right thing. I'm an idiot.
     
  2. marie500

    marie500 Thread Starter

    Joined:
    May 6, 2002
    Messages:
    829
    I probably should have my head examined...I went ahead and did a System Restore.

    The local Hosts file is back. (Yay? That's good...right?))

    FYI, this is what I deleted through HT (copied from the first log I saved):
    O4 - HKLM\..\Run: [MOSC] C:\WINDOWS\System32\MOSC.exe

    I deleted something else, possibly this:
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    but it's still there...I don't know what it is.

    Since I'm obviously an incompetent boob, could you look/help with the current log file? Is the NAV and NIS stuff running for all users, as it should be? A few things look weird to me but I don't want to touch ANYTHING!

    Logfile of HijackThis v1.96.1
    Scan saved at 7:55:56 PM, on 4/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\12Ghosts\12window.exe
    C:\Program Files\12Ghosts\12autosl.exe
    C:\Program Files\12Ghosts\12color.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\unzipped\hijackthis196\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - F:\Mom's F Drive Folder\Just-Window\12popup.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - F:\Mom's F Drive Folder\Just-Window\12popup.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKCU\..\Run: [CookieJar] C:\Program Files\Cookie Jar\CookieJar.exe /qd_banned /qd_undecided
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: 12Ghosts JustAWindow.lnk = C:\Program Files\12Ghosts\12window.exe
    O4 - Startup: 12Ghosts SaveLayout.lnk = C:\Program Files\12Ghosts\12autosl.exe
    O4 - Startup: 12Ghosts SetColor.lnk = C:\Program Files\12Ghosts\12color.exe
    O4 - Startup: Copy of 12Ghosts SetColor.lnk = C:\Program Files\12Ghosts\12color.exe
    O4 - Startup: Set Color Now.lnk = C:\Program Files\12Ghosts\12color.exe
    O4 - Startup: Shortcut to XP_UserDisplay.exe.lnk = C:\Program Files\XP_UserDisplay.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37891.6833101852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
     
  3. marie500

    marie500 Thread Starter

    Joined:
    May 6, 2002
    Messages:
    829
    I hope someone will help with this.
    TDS-3 says it was: trojan.win32.revop.c
    I thought TDS-3 was able to delete it; a subsequent scan came up clean as did an online Panda and my own NAV. But something still just isn't right. Things are slow and feel different. I'm suspicious of everything I see in my running process list.
    Logfile of HijackThis v1.96.1
    Scan saved at 1:17:44 AM, on 4/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\12Ghosts\12window.exe
    C:\Program Files\12Ghosts\12autosl.exe
    C:\Program Files\12Ghosts\12color.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Explorer.EXE
    C:\unzipped\hijackthis196\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - F:\Mom's F Drive Folder\Just-Window\12popup.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - F:\Mom's F Drive Folder\Just-Window\12popup.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKCU\..\Run: [CookieJar] C:\Program Files\Cookie Jar\CookieJar.exe /qd_banned /qd_undecided
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: 12Ghosts JustAWindow.lnk = C:\Program Files\12Ghosts\12window.exe
    O4 - Startup: 12Ghosts SaveLayout.lnk = C:\Program Files\12Ghosts\12autosl.exe
    O4 - Startup: 12Ghosts SetColor.lnk = C:\Program Files\12Ghosts\12color.exe
    O4 - Startup: Copy of 12Ghosts SetColor.lnk = C:\Program Files\12Ghosts\12color.exe
    O4 - Startup: Set Color Now.lnk = C:\Program Files\12Ghosts\12color.exe
    O4 - Startup: Shortcut to XP_UserDisplay.exe.lnk = C:\Program Files\XP_UserDisplay.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37891.6833101852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
     
  4. marie500

    marie500 Thread Starter

    Joined:
    May 6, 2002
    Messages:
    829
    Still anxious for someone to help..!
    Anyway, the two other things that showed up in the TDS scan with trojanwin32.revop.c were nameed "pup" - I searched on the computer and I have two of them in C:\Windows\Prefetch:
    PUP.EXE-2FED3F64.pf
    PUP.EXE-02C976EB.pf

    Googling those terms leads me to sites on trojans, hacks, etc.

    Also created yesterday are these new entries in my System 32 folder:
    PerfStringBackup.ini
    PerfH009.dat
    PerfC009.dat


    I really need help, guys. What should I do???!!
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    1st thing you should do Marie is calm down..........you have nothing to worry about ok?
    "C:\WINDOWS\System32\msdxm.ocx"
    ActiveX Control used by Windows Media Player.
    Delete everything in C:\Windows\Prefetch

    PerfStringBackup.ini
    PerfH009.dat
    PerfC009.dat are performance counters/backups Do not delete them

    Update your version of HijackThis (yours is slightly old)and post another log.
    ;)
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    revop.c is the latest version of winpup and adaware should remove that one easily

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described
    AdAware 6 from http://www.lavasoft.de/support/download


    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R282 10.04.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
     
  7. marie500

    marie500 Thread Starter

    Joined:
    May 6, 2002
    Messages:
    829
    Adaware doesn't acknowledge them and I used the newest reference file. I ran it yesterday and it found nothing then either. Nor did Spybot. I ran SB yesterday before doing anything and again just now, it's congratulating me. Only TDS alerted to trojan.win32.revop.c and two pup things late last night. This was after getting a clean bill from Adaware and Spybot yesterday evening.

    Remember, I did things yesterday that were stupid - deleted local hosts file, did a system restore to get it back.

    I googled "winpups" - says they generate lots of popup ads? I'm not getting that. I did for awhile yesterday, they said things like "If your system is behaving strangely you might have spyware! CLICK HERE!" (...um, no thanks.)

    The TDS scan doesn't alert to the two pup .exes that are still there.
    What now?
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    if the 2 pup things are in the prefetch folder delete them
    in fact delete everything in prefetch and reboot

    Adaware isn't finding them because TDS has already killed the active infection for you
     
  9. marie500

    marie500 Thread Starter

    Joined:
    May 6, 2002
    Messages:
    829
    The Prefetch folder is now empty and here is my current log after reboot:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:51:09 PM, on 4/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\12Ghosts\12window.exe
    C:\Program Files\12Ghosts\12autosl.exe
    C:\Program Files\12Ghosts\12color.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Explorer.EXE
    C:\unzipped\hijackthis new\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - F:\Mom's F Drive Folder\Just-Window\12popup.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - F:\Mom's F Drive Folder\Just-Window\12popup.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKCU\..\Run: [CookieJar] C:\Program Files\Cookie Jar\CookieJar.exe /qd_banned /qd_undecided
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: 12Ghosts JustAWindow.lnk = C:\Program Files\12Ghosts\12window.exe
    O4 - Startup: 12Ghosts SaveLayout.lnk = C:\Program Files\12Ghosts\12autosl.exe
    O4 - Startup: 12Ghosts SetColor.lnk = C:\Program Files\12Ghosts\12color.exe
    O4 - Startup: Copy of 12Ghosts SetColor.lnk = C:\Program Files\12Ghosts\12color.exe
    O4 - Startup: Set Color Now.lnk = C:\Program Files\12Ghosts\12color.exe
    O4 - Startup: Shortcut to XP_UserDisplay.exe.lnk = C:\Program Files\XP_UserDisplay.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37891.6833101852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
     
  10. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/218850

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice